Report No. DODIG-2012-140                 September 28, 2012

An Unreliable Chart of Accounts Affected Auditability of Defense Enterprise Accounting and Management System Financial Data

Additional Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at auditnet@dodig.mil.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for Auditing at auditnet@dodig.mil, or by mail:

    Department of Defense Office of Inspector General
    Office of the Deputy Inspector General for Auditing
    ATTN: Audit Suggestions/13F25-04
    4800 Mark Center Drive
    Alexandria, VA 22350-1500

Acronyms and Abbreviations
COA           Chart of Accounts
DDRS          Defense Departmental Reporting System
DEAMS         Defense Enterprise Accounting and Management System
DFAS          Defense Finance and Accounting Service
ERP           Enterprise Resource Planning
FISCAM        Federal Information System Controls Audit Manual
FMO           Functional Management Office
OFFM          Office of Federal Financial Management
OUSD(C)       Office of the Under Secretary of Defense (Comptroller)
PMO           Program Management Office
QRM           Quick Reaction Memorandum
SAF/FM        Assistant Secretary of the Air Force for Financial Management and Comptroller
SFIS          Standard Financial Information Structure
USAF          U.S. Air Force
USSGL         United States Standard General Ledger
USTRANSCOM    U.S. Transportation Command

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

September 28, 2012

MEMORANDUM FOR COMMANDER, U.S. TRANSPORTATION COMMAND
               ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL MANAGEMENT AND COMPTROLLER)

SUBJECT: An Unreliable Chart of Accounts Affected Auditability of Defense Enterprise Accounting and Management System Financial Data (Report No. DODIG-2012-140)

We are providing this report for your information and use. Unless the deficiencies identified in this report are corrected, the Defense Enterprise Accounting and Management System's data reliability problems will likely impair DoD and U.S. Air Force abilities to meet their FY 2014 and FY 2017 audit readiness goals.

We considered management comments on a draft of this report when preparing the final report. The Principal Deputy Assistant Secretary of the Air Force (Financial Management and Comptroller) provided comments and responded for the Functional Manager, Defense Enterprise Accounting and Management System Functional Management Office. The Principal Deputy Assistant Secretary of the Air Force (Financial Management and Comptroller) comments conformed to the requirements of DoD Directive 7650.3; therefore, additional comments are not required.

We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 604-8938 (DSN 664-8938).

Richard B. Vasquez, CPA
Acting Assistant Inspector General
Financial Management and Reporting

Report No. DODIG-2012-140 (Project No. D2011-D000FH-0097.000)                            September 28, 2012

Results in Brief: An Unreliable Chart of Accounts Affected Auditability of Defense Enterprise Accounting and Management System Financial Data

What We Did
The U.S. Air Force’s (USAF) auditability is dependent on successfully deploying the Defense Enterprise Accounting and Management System (DEAMS). The current DEAMS life-cycle cost estimate is $2.1 billion. As of March 31, 2012, DEAMS expenditures totaled approximately $322.2 million.

We determined whether the DEAMS fulfilled selected functional capabilities needed to generate accurate and reliable financial management information.

What We Found
DEAMS lacked critical functional capabilities needed to generate accurate and reliable financial management information. DEAMS managers did not maintain an adequate Chart of Accounts (COA). In addition, DEAMS did not report Standard Financial Information Structure (SFIS) financial data directly to the Defense Departmental Reporting System (DDRS). These occurred because:

   - Functional Management Office (FMO) personnel did not monitor changes to the COA and document policies and procedures for modifying the COA, and
   - DoD and USAF management initially decided not to report financial data directly to DDRS until fourth quarter FY 2016.

DEAMS data lacks validity and reliability. Unless the unauthorized changes and inconsistencies in the DEAMS COA are corrected, DoD and USAF management cannot rely on DEAMS information to make sound business decisions. Further, DEAMS management cannot ensure updates to the DEAMS COA are performed correctly and consistently. In addition, the approved plan for reporting directly to DDRS may challenge the USAF’s ability to obtain audit readiness for the Statement of Budgetary Resources before the end of FY 2014. Further, unforeseen delays with reporting SFIS financial data directly to DDRS may impede USAF’s ability to achieve audit readiness on the remaining financial statements by FY 2017.

On November 14, 2011, we issued a Quick Reaction Memorandum discussing the unauthorized changes to the DEAMS COA.

What We Recommend
We recommend that the Assistant Secretary of the Air Force for Financial Management and Comptroller perform validations of the corrective actions for the unauthorized changes and inconsistencies in the DEAMS COA before further deployment to ensure the corrective actions are operating as intended.

The Functional Manager, DEAMS FMO, should implement monitoring controls to identify inconsistencies in the DEAMS COA data, determine whether inconsistencies in the account data affected any other areas of the system, and document policies and procedures for modifying the DEAMS COA.

Management Comments and Our Response
The Principal Deputy Assistant Secretary of the Air Force (Financial Management and Comptroller), provided comments and agreed to the recommendations for the Assistant Secretary of the Air Force (Financial Management and Comptroller) and the Functional Manager, DEAMS FMO. Therefore, no additional comments are required. Please see the recommendations table on the back of this page.

Recommendations Table

Management                                      Recommendations      No Additional
                                                Requiring Comment    Comments Required
Assistant Secretary of the Air Force for                             1
Financial Management and Comptroller
Functional Manager, Defense Enterprise                               2.a, 2.b, 2.c
Accounting and Management System
Functional Management Office

Table of Contents

Introduction
      Audit Objective
      DoD and USAF Audit Readiness
      DEAMS Overview
      Financial Systems Requirements
      Roles and Responsibilities
      Internal Controls Not Effective for Maintaining an Adequate COA

Finding. DEAMS Financial Data Reliability Challenges
      FMO Personnel Did Not Maintain an Adequate COA
      DEAMS Did Not Report SFIS Financial Data Directly to DDRS
      SAF/FM Management Actions
      Conclusion
      Recommendations, Management Comments, and Our Response

Appendices
      A. Scope and Methodology
            Use of Computer-Processed Data
            Prior Coverage
      B. DEAMS Deployment Schedule
      C. Quick Reaction Memorandum
      D. U.S. Air Force Memorandum Comments
      E. Defense Finance and Accounting Service Memorandum Comments

Glossary

Management Comments
      U.S. Air Force Comments

Introduction

Audit Objective
Our overall objective was to determine whether the Defense Enterprise Accounting and Management System (DEAMS) fulfilled selected functional capabilities needed to generate timely, accurate, and reliable financial management information. The criteria related to the functional capabilities we reviewed did not require testing of the timeliness of the financial data. Consequently, we did not determine whether DEAMS provided DoD management with timely financial information.
See Appendix A for the scope and methodology and prior audit coverage. See the glossary for definitions of technical terms.

DoD and USAF Audit Readiness
According to the Office of the Secretary of Defense, auditable statements are needed to facilitate decision-making, to comply with the law, and to reassure the public that DoD personnel are good stewards of their funds. DoD management plans to achieve audit readiness for the Statement of Budgetary Resources before the end of FY 2014. They also plan to meet the legal requirement to achieve full audit readiness for all DoD financial statements by FY 2017. The U.S. Air Force’s (USAF) auditability is dependent on establishing an audit ready systems environment that includes successfully deploying Enterprise Resource Planning (ERP) systems, including DEAMS, and interfacing them with other business and financial systems.

USAF’s audit readiness faces challenges, such as the lack of a transaction-based general ledger and the inability to trace financial transactions from the business event to the financial statements and back. The problem is a direct result of a legacy accounting system based on 1960s’ accounting processes and procedures. USAF management expects the deployment of its target financial management systems and validation of the systems for compliance with the Federal Financial Management Improvement Act to correct a weakness with its financial management systems.

DEAMS Overview
DEAMS is an ERP initiative between USAF, the U.S. Transportation Command (USTRANSCOM), and the Defense Finance and Accounting Service (DFAS). Its purpose is to support the warfighter with timely, accurate, and reliable financial information enabling efficient and effective decision-making. DEAMS development is under the direction of the Office of the Secretary of the Air Force for Financial Management and Comptroller, and the Office of the Secretary of Defense Finance Accounting Operations and Financial Management Domain. DEAMS will generally improve financial management capabilities with Oracle Federal Financials commercial-off-the-shelf software. DEAMS is scheduled to replace at least 10 USAF financial legacy systems. The current life-cycle cost estimate is $2.1 billion. As of March 31, 2012, DEAMS expenditures totaled approximately $322.2 million.

DEAMS’ deployment schedule includes two increments. Deployment of the first increment began in July 2007 and is scheduled to end in FY 2016. DEAMS’ second increment is scheduled for deployment from FY 2016 through FY 2017. At the time of our review, the full deployment date for DEAMS was scheduled for the third quarter of FY 2017. A portion of DEAMS Increment 1 was deployed to at least 1,200 USAF, USTRANSCOM, and DFAS users. When fully deployed, approximately 30,000 personnel will use DEAMS. See Appendix B for the current deployment sites and deployment schedule.

Financial Systems Requirements
DoD Components are required to follow the Office of Federal Financial Management (OFFM) regulation, OFFM-NO-0106, “Core Financial System Requirements,” January 2006, when developing financial systems. OFFM-NO-0106 requires financial systems to have the ability to provide consistent, standardized information for program managers, financial managers, agency executives, and oversight organizations. The regulation also requires core financial systems to provide automated functionality to:

    - capture additions, modifications, and cancellations, including the date, time, and user identification; and
    - generate an audit trail of all accounting classification structure additions, changes, and deactivations, including effective dates of changes.

The Federal Information System Controls Audit Manual (FISCAM), February 2009, states master data serves as the basis for transaction processing. Master data policies and procedures require data owners to be responsible for the creation, deletion, and changes of master data and changes to data characteristics. Further, master data provides the basis for ongoing business activities and includes the General Ledger Account Structure and chart of accounts (COA). It is critical that controls exist to ensure the integrity and quality of the data.

Office of the Under Secretary of Defense (Comptroller) (OUSD[C]) Memorandum, “DoD Standard Chart of Accounts in Standard Financial Information Structure (SFIS),” August 13, 2007, directs the use of a DoD Standard COA in Component target general ledger accounting systems. The COA aggregates transaction activity into account balances and reports those balances to departmental reporting and other accounting systems. The DoD Standard COA is comprised of United States Standard General Ledger (USSGL) accounts and DoD standard account extensions to provide the detail required for budgetary, financial, and management reports.

Roles and Responsibilities
The Assistant Secretary of the Air Force for Financial Management and Comptroller (SAF/FM) is responsible for exercising the comptroller and financial management functions of the Air Force, which include preparing the Air Force budget; directing cost and economic analysis programs; and overseeing accounting and finance operations, systems, and reporting.
The DEAMS Functional Management Office (FMO), which is comprised of personnel from USAF, USTRANSCOM, and DFAS,[1] defines functional requirements. They also record, vet, and formalize the requirements before delivering them to the DEAMS Program Management Office (PMO).

[1] From this point forward, when using “DEAMS FMO” or “FMO,” we are referring to the entity comprised of personnel from USAF, USTRANSCOM, and DFAS.

Internal Controls Not Effective for Maintaining an Adequate COA
DoD Instruction 5010.40, “Managers’ Internal Control Program (MICP) Procedures,” July 29, 2010, requires DoD organizations to implement a comprehensive system of internal controls providing reasonable assurance that programs operate as intended and evaluate the effectiveness of controls. We identified internal control weaknesses related to maintaining an adequate COA. Specifically, DEAMS management was not monitoring updates to the COA or documenting policies and procedures for modifying the COA. We will provide a copy of the report to the senior official responsible for internal controls in the Air Force.

Finding. DEAMS Financial Data Reliability Challenges
DEAMS lacked critical functional capabilities needed to generate accurate and reliable financial management information. Specifically, DEAMS managers did not maintain an adequate DEAMS COA. In addition, DEAMS did not report SFIS financial data directly to the Defense Departmental Reporting System (DDRS). These conditions occurred because:

   - FMO personnel did not monitor updates to the COA as recommended by the FISCAM,
   - FMO personnel did not have documented policies and procedures for modifying the COA, and
   - DoD and USAF management initially decided not to report financial data directly to DDRS until fourth quarter of FY 2016.

As a result, DEAMS COA data lacks validity and reliability. Unless the unauthorized changes and inconsistencies in the DEAMS COA are corrected, DoD and USAF management cannot rely on DEAMS information to make sound business decisions. Further, DEAMS management cannot ensure updates to the DEAMS COA are performed correctly and consistently. In addition, DEAMS’ approved plan for reporting directly to DDRS may challenge the USAF’s ability to obtain audit readiness for the Statement of Budgetary Resources before the end of FY 2014. Further, unforeseen delays with reporting SFIS financial data directly to DDRS may impede USAF’s ability to achieve audit readiness on the remaining financial statements by FY 2017 and could result in increased cost and schedule growth.

On November 14, 2011, we issued a Quick Reaction Memorandum (QRM) that discussed unauthorized changes to the DEAMS COA and related audit trail deficiencies (see Appendix C for the QRM). SAF/FM and DFAS provided responses to the QRM (see Appendix D for SAF/FM response and Appendix E for the DFAS response).

FMO Personnel Did Not Maintain an Adequate COA
FMO personnel did not maintain an adequate COA. Specifically, the DEAMS COA contained unauthorized changes and inconsistencies in account data. The FISCAM states that it is critical for controls to exist over the integrity and quality of the data in the COA. In addition, the COA provides the basis for ongoing business activities and should be carefully controlled. Each general ledger account in the DEAMS COA includes several data fields, such as “Creation Date,” “Updated By,” and “Last Update.” These fields are important for maintaining the audit trail for DEAMS accounts. The DEAMS COA also includes an “Enabled Flag” data field, which indicates whether general ledger accounts in DEAMS are active and available for posting transactions. However, the DEAMS COA was inadequate because FMO personnel were not monitoring additions, deletions, or changes to COA data. Further, FMO personnel did not document policies and procedures for modifying the DEAMS COA.

Unauthorized Changes to Accounts Reduced the Reliability of DEAMS Financial Data
Unauthorized changes to the “Last Update” and “Enabled Flag” fields occurred in 1,101 of 4,207 general ledger accounts. After we brought these unauthorized changes to FMO personnel’s attention on September 8, 2011, they investigated and found that DEAMS identified AUTOINSTALL, which is a default user account in the Oracle E-Business Suite, as the last user to update approximately 25 percent of DEAMS’ total general ledger accounts. According to FMO personnel, that many general ledger accounts should not have been updated by the user AUTOINSTALL. After continuing their research through September 30, 2011, FMO personnel determined that AUTOINSTALL was not updating the accounts. Rather, a data coding error was incorrectly changing and deleting the correct general ledger account data and its audit trail. This caused any changes to these accounts to be untraceable. Specifically, the coding error changed:

   - “Updated By” user to “AUTOINSTALL,”
   - “Last Update” date to “December 15, 2001,” and
   - “Enabled Flag” to “Y.”

Based on discussions with the DEAMS FMO, DFAS determined the coding error was a DEAMS “systematic issue.”

According to FMO personnel, they received a patch from the system integrator to fix the coding error that was incorrectly changing account data. FMO personnel stated that this patch would correct the majority of the inconsistencies in the DEAMS COA. However, FMO personnel tested the patch and determined the patch was not operating correctly. Therefore, FMO personnel rejected the patch and requested the system integrator develop another patch to resolve the data integrity problem. On March 16, 2012, more than six months after we initially notified FMO personnel of the unauthorized changes, FMO personnel received a patch from the system integrator to correct the data coding error. According to FMO personnel, the patch is working as intended.

Inconsistencies in COA Data Affected the Validity and Reliability of DEAMS Data
The May, June, and August 2011 DEAMS COAs included three types of inconsistencies in the creation date and last update fields. FMO personnel did not identify these inconsistencies until we brought them to their attention during the audit.
Specifically, the inconsistencies in the account data were:

   - last update dates occurred before creation dates,
   - the COA did not reflect all update dates, and
   - last update dates were replaced by older update dates.

The first type of inconsistency involved two general ledger accounts in the May, June, and August 2011 COAs that showed last update dates occurring before the account’s creation date in DEAMS. An example is budgetary account 4550.900030,[2] which summarizes allotment data. According to the DEAMS COA, this account’s creation date was in October 2009. However, its last update date listed was August 2009. Therefore, according to DEAMS’ COA, account 4550.900030 was updated two months before it was created. Because an account cannot be updated before it is created, there should not be any update dates occurring before the creation date. Table 1 shows the two accounts’ creation dates and last update dates that appeared in the DEAMS COA.

[2] The title of DEAMS account 4550.900030 is “AnnAllotTargetCtl.”

Table 1. Accounts With Creation Dates After the Account’s Last Update Dates

                  May 2011 COA               June 2011 COA              August 2011 COA
Account Number    Creation     Last Update   Creation     Last Update   Creation     Last Update
                  Date         Date          Date         Date          Date         Date
4550.900030       10/21/2009   8/10/2009     10/21/2009   8/10/2009     10/21/2009   8/10/2009
6000              3/31/2010    8/26/2009     3/31/2010    6/13/2011     3/31/2010    8/26/2009

The second type of inconsistency involved two general ledger accounts in the August 2011 COA with last update dates that were not identified in the May and June 2011 COA. An example is budgetary account 4900.900090,[3] which summarizes the total expended balance. In the August 2011 COA, this account showed a last update date of March 2011. However, the May and June 2011 COA showed a last update date of August 2009. If an update occurred in March 2011, as the August 2011 COA showed, then the May and June 2011 COAs should also have reflected the March 2011 date. Table 2 shows the two accounts in the August 2011 COA with last update dates that should have appeared in May and June 2011 COA.

[3] The title of DEAMS account 4900.900090 is “Total Expended Balance.”

Table 2. Last Update Dates That Should Have Appeared in Earlier COAs

                  Last Update Date
Account Number    May 2011 COA    June 2011 COA    August 2011 COA
4610.900033       1/13/2011       5/21/2011        2/14/2011
4900.900090       8/28/2009       8/28/2009        3/21/2011

The third type of inconsistency involved general ledger accounts in the August 2011 COA with last update dates that preceded the last update dates found in one or both of the May or June 2011 COA. Specifically, four general ledger accounts in the August 2011 COA had a last update date that was before the last update date in the June 2011 COA. For example, budgetary account 4610.900033,[4] which relates to allotments and realized resources, had a last update date of May 21, 2011, in the June 2011 COA. However, in the August 2011 COA, the last update date was February 14, 2011, which predates the last update in the June 2011 COA by more than three months. FMO personnel emphasized that last update dates for accounts should never change to an older date. Therefore, there was an error in the account data because the August 2011 COA should not show a last update date that is older than the date in the May or June 2011 COA. Table 3 shows the four accounts, along with their last update dates that appeared in the May, June, and August 2011 COAs.

[4] The title of DEAMS account 4610.900033 is “Allotments – Realized Resources – SubAllotments ReProgramming.”

Table 3. Older Update Dates Replaced Newer Update Dates in the August COA

                  Last Update Date
Account Number    May 2011 COA    June 2011 COA    August 2011 COA
1010.011          5/13/2011       5/13/2011        9/3/2009
4550.900033       10/21/2009      6/14/2011        10/21/2009
4610.900033       1/13/2011       5/21/2011        2/14/2011
6000              8/26/2009       6/13/2011        8/26/2009

On January 31, 2012, DEAMS personnel explained that they had not determined the root causes for the remaining inconsistencies in the DEAMS COA. Therefore, they decided to develop controls to mitigate the risk of additional inconsistencies, which included:

   - developing standard operating procedures for General Accounting Configuration,
   - developing internal controls for code and Global Combat Support System-Air Force Field Assistance Service Ticket review, and
   - identifying anyone capable of applying scripts to the DEAMS application and restricting this ability to identifiable logins that track to specific team members.

According to the National Institute of Standards and Technology, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations,” June 2010, controls similar to those identified in the bullets above should have already been implemented. Therefore, these actions should have already been implemented before the inconsistencies in the DEAMS COA were identified.

FMO Personnel Did Not Monitor the COA Data
FMO personnel were not monitoring additions, deletions, or changes to COA data as recommended by the FISCAM.
Effective controls and oversight procedures over the COA would have highlighted the unauthorized changes and inconsistencies in the COA data to allow for timely investigation by FMO personnel. These undetected changes demonstrate a lack of oversight and monitoring of the DEAMS COA data. According to information provided by FMO personnel, the unauthorized changes and inconsistencies caused actual audit data to be lost. Therefore, unless the unauthorized changes and inconsistencies are corrected, DoD and USAF management cannot make sound business decisions because of DEAMS’ lack of an adequate COA. In addition, DEAMS COA data may not be valid and reliable.

In accordance with DoD Instruction 5000.02, “Operation of the Defense Acquisition System,” December 8, 2008, hardware and software alterations that materially change system performance, including system upgrades and changes to correct deficiencies, should undergo Operational Test and Evaluation. The fundamental purpose of test and evaluation is to provide knowledge to assist in managing the risks involved in developing, producing, operating, and sustaining systems and capabilities. Therefore, USAF management should perform a validation of the corrective actions for the unauthorized changes and inconsistencies in the DEAMS COA before further deployment to ensure they are operating as intended. FMO personnel should implement procedures to monitor DEAMS COA data.
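
Added example (not part of the original report and not DEAMS code): a monitoring check of the kind recommended here, run over the last update dates listed in Tables 1 through 3 plus the field values the coding error is reported to have written. Account 9999.000001, user JDOE, and all function and field names are constructed for illustration; fields the report does not give are left empty.

```python
from datetime import date
from itertools import combinations

# Values the report says the coding error wrote over affected accounts:
# "Updated By", "Last Update", "Enabled Flag".
OVERWRITE_SIGNATURE = ("AUTOINSTALL", date(2001, 12, 15), "Y")


def d(text):
    """Parse the report's M/D/YYYY dates."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def row(last_update, creation=None, updated_by=None, enabled=None):
    """One COA record; fields the report does not give stay None."""
    return {"creation": d(creation) if creation else None,
            "last_update": d(last_update),
            "updated_by": updated_by, "enabled": enabled}


DEMO = "9999.000001"  # constructed account, shows the overwrite signature

# Snapshots in chronological order. Dates for the six real accounts are
# copied from Tables 1-3; the DEMO rows are constructed.
SNAPSHOTS = [
    ("May 2011", {
        "1010.011": row("5/13/2011"),
        "4550.900030": row("8/10/2009", creation="10/21/2009"),
        "4550.900033": row("10/21/2009"),
        "4610.900033": row("1/13/2011"),
        "4900.900090": row("8/28/2009"),
        "6000": row("8/26/2009", creation="3/31/2010"),
        DEMO: row("4/4/2011", "2/1/2010", "JDOE", "N"),
    }),
    ("June 2011", {
        "1010.011": row("5/13/2011"),
        "4550.900030": row("8/10/2009", creation="10/21/2009"),
        "4550.900033": row("6/14/2011"),
        "4610.900033": row("5/21/2011"),
        "4900.900090": row("8/28/2009"),
        "6000": row("6/13/2011", creation="3/31/2010"),
        DEMO: row("4/4/2011", "2/1/2010", "JDOE", "N"),
    }),
    ("August 2011", {
        "1010.011": row("9/3/2009"),
        "4550.900030": row("8/10/2009", creation="10/21/2009"),
        "4550.900033": row("10/21/2009"),
        "4610.900033": row("2/14/2011"),
        "4900.900090": row("3/21/2011"),
        "6000": row("8/26/2009", creation="3/31/2010"),
        DEMO: row("12/15/2001", "2/1/2010", "AUTOINSTALL", "Y"),
    }),
]


def check_snapshot(label, accounts):
    """Checks that need only one snapshot."""
    findings = []
    for acct, rec in sorted(accounts.items()):
        if rec["creation"] and rec["last_update"] < rec["creation"]:
            findings.append((label, acct, "UPDATE_BEFORE_CREATION", None))
        sig = (rec["updated_by"], rec["last_update"], rec["enabled"])
        if sig == OVERWRITE_SIGNATURE:
            findings.append((label, acct, "OVERWRITE_SIGNATURE", None))
    return findings


def compare_snapshots(earlier, later):
    """Checks across two snapshots of the same chart of accounts."""
    (e_label, e_accts), (l_label, l_accts) = earlier, later
    # The newest update date in the earlier snapshot is a lower bound on
    # when it was taken: an update dated on or before that mark should
    # already have been visible in the earlier snapshot.
    high_water = max(rec["last_update"] for rec in e_accts.values())
    findings = []
    for acct in sorted(e_accts.keys() & l_accts.keys()):
        old = e_accts[acct]["last_update"]
        new = l_accts[acct]["last_update"]
        if new < old:
            findings.append((l_label, acct, "UPDATE_DATE_REGRESSED", e_label))
        elif old < new <= high_water:
            findings.append((l_label, acct, "UPDATE_MISSING_EARLIER", e_label))
    return findings


def audit(snapshots):
    """Run every check; returns (snapshot, account, finding, compared_to)."""
    findings = []
    for label, accounts in snapshots:
        findings += check_snapshot(label, accounts)
    for earlier, later in combinations(snapshots, 2):
        findings += compare_snapshots(earlier, later)
    return findings


if __name__ == "__main__":
    for snapshot, account, kind, versus in audit(SNAPSHOTS):
        suffix = f" (vs. {versus})" if versus else ""
        print(f"{snapshot:<12} {account:<12} {kind}{suffix}")
```

The high-water comparison only bounds when the earlier snapshot was taken, so storing the actual extraction time with each snapshot makes the missing-update check exact.
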
Further, FMO personnel need to
determine whether inconsistencies in the account data affected any other DEAMS functional
areas.

FMO Personnel Did Not Have Documented Policies and Procedures
for Modifying the COA
DEAMS FMO personnel did not document policies and procedures for modifying the DEAMS
COA. Although FMO personnel could explain the process to modify the COA, they did not have
the process documented. According to the National Institute of Standards and Technology, “An
Introduction to Computer Security: The NIST Handbook,” October 1995, documentation of all
aspects of computer support and operations is important to ensure continuity and consistency.
Formalizing operational practices and procedures with sufficient detail helps to eliminate
security lapses and oversights, gives new personnel sufficiently detailed instructions, and
provides a quality assurance function to help ensure that operations are performed correctly
and efficiently. FMO personnel stated they had not documented the processes for COA changes
because the individual performing the changes had received training. Further, the individual
performing the changes knew how to perform the updates to the DEAMS COA.
However, because the processes were not documented, continuity and consistency of operations
would be affected if FMO has a change in personnel responsible for COA updates. As a result,
DEAMS management cannot ensure that operations to update the DEAMS COA will be
performed correctly and efficiently.
FMO personnel should document policies, procedures, and
controls for modifying DEAMS COA data to ensure those operations are performed correctly
and efficiently.

DEAMS Did Not Report SFIS Financial Data Directly to DDRS
DEAMS did not report SFIS financial data directly to DDRS.⁵ This occurred because DoD and
USAF management initially decided not to report the financial data in DEAMS directly to DDRS
until the fourth quarter FY 2016. Public Law 111-84, “National Defense Authorization Act for
Fiscal Year 2010,” October 28, 2009, requires DoD to assert that the financial statements are
ready for audit by no later than September 30, 2017. The Secretary of Defense’s memorandum,
“Improving Financial Information and Achieving Audit Readiness,” October 13, 2011, directs
DoD management to achieve audit readiness for the Statement of Budgetary Resources before
the end of 2014. OUSD(C) Memorandum, “Standard Financial Information Structure (SFIS)
Implementation Policy,” August 4, 2005, requires systems containing financial information to
provide the ability to capture and transmit the SFIS data or demonstrate a cross-walking
capability to the SFIS format.

⁵ DDRS produces the official financial statements and budgetary reports for the Military
Services and DoD agencies.

If DoD and USAF management continue with their approved plan for reporting directly to
DDRS, USAF may face challenges in achieving its audit readiness goal for the Statement of
Budgetary Resources by the end of FY 2014.⁶ In addition, the plan may not give DoD and
USAF management sufficient time to ensure DEAMS reports SFIS financial data accurately to
DDRS before the start of FY 2017.
Unforeseen delays in reporting SFIS financial data directly
to DDRS may impede DoD and USAF abilities to achieve audit readiness by FY 2017 and could
result in increased cost and schedule growth.

In response to the Secretary of Defense’s memorandum and our audit, USAF management is
evaluating alternatives to accelerate development and implementation of DEAMS to meet the
FY 2010 National Defense Authorization Act’s FY 2017 auditability mandate and the Secretary
of Defense’s Statement of Budgetary Resources auditability requirement. According to DEAMS
FMO personnel, they developed a tentative plan for DEAMS to report directly to DDRS
beginning in April 2013. However, this tentative plan has not been formally approved. Since
USAF management is in the process of evaluating alternatives for reporting directly to DDRS in
April 2013, we did not make any recommendations.

SAF/FM Management Actions
We issued a QRM, dated November 14, 2011, that discussed unauthorized changes to the
DEAMS COA and related audit trail deficiencies (see Appendix C for the QRM). SAF/FM and
DFAS provided responses to the QRM (see Appendix D for SAF/FM response and Appendix E
for the DFAS response). According to the comments, SAF/FM intends to complete the
following corrective actions in FY 2012:

   • The Oracle E-Business Suite default user account AUTOINSTALL has been disabled.
     The FMO is working with the developer on a new application interface script to facilitate
     proper loading of changes to the COA.
   • Change and Configuration Management processes and procedures are under review. The
     DEAMS FMO and PMO have been directed to make no changes to the DEAMS baseline
     configurations without approval from the DEAMS Change Control Board.
     The DEAMS Change Control Board and SAF/FM are implementing industry standard
     Information Technology Lifecycle Management processes.
   • Controls for software quality are under review. Attention is directed to controls that
     ensure appropriate reviews are being performed for software code (including scripts),
     audit logs, and system-wide scans to detect malicious code and other vulnerabilities.
   • Evaluation of tools to perform automated detection of any changes to baseline
     configuration items and other settings is being conducted.
   • A FISCAM review of DEAMS began on October 31, 2011, and will be completed before
     the end of FY 2012.

⁶ USAF’s ERPs, including DEAMS, will not be fully deployed by 2014. As a result, USAF will
rely on manual controls and legacy system enhancements to meet the FY 2014 goal of audit
readiness for the Statement of Budgetary Resources.

Conclusion
Unauthorized changes and other COA inconsistencies reduced the reliability of DEAMS’ COA
data, eliminated critical audit trails, and may have affected other DEAMS functional areas.
FMO personnel did not monitor additions, deletions, or changes to the COA and did not
document the procedures needed to modify the COA. Unless the unauthorized changes and
inconsistencies in the DEAMS COA are corrected, DoD and USAF management cannot rely on
DEAMS information to make sound business decisions.

DEAMS’ approved plan for reporting directly to DDRS may not allow USAF to achieve its audit
readiness goal for the Statement of Budgetary Resources before the end of FY 2014.
In addition,
unforeseen delays with reporting SFIS financial data directly to DDRS may impede DoD and
USAF abilities to achieve audit readiness by FY 2017, and could result in increased cost and
schedule growth.

Recommendations, Management Comments, and
Our Response
1. We recommend that the Assistant Secretary of the Air Force for Financial Management
and Comptroller perform validation of the corrective actions for the unauthorized changes
and inconsistencies in the Defense Enterprise Accounting and Management System chart of
accounts before further deployment to ensure the corrective actions are operating as
intended.

Assistant Secretary of the Air Force (Financial Management and
Comptroller) Comments
The Principal Deputy Assistant Secretary of the Air Force (Financial Management and
Comptroller) responded on behalf of the Assistant Secretary of the Air Force (Financial
Management and Comptroller). She agreed and stated they had completed the following
corrective actions:

   • Disabled the Oracle E-Business Suite default user account, “AUTOINSTALL;”
   • Directed the DEAMS PMO and FMO to make no changes to the DEAMS baseline
     without approval from the DEAMS Executive Change Control Board;
   • Developed and implemented an interim manual control review process for the COA; and
   • Developed long-term strategy to perform automated detection of any changes to baseline
     configuration items using the Oracle Governance Risk and Compliance module, which
     will be implemented in the DEAMS environment for Release 2.

She also stated they have initiated a FISCAM review with an estimated completion date of
September 2012.

Our Response
Comments from the Principal Deputy Assistant Secretary of the Air Force (Financial
Management and Comptroller) were responsive, and no additional comments are required.

2.
We recommend that the Functional Manager, Defense Enterprise Accounting and
Management System Functional Management Office:

      a. Implement monitoring procedures to identify inconsistencies in the Defense
Enterprise Accounting and Management System chart of accounts data.

Defense Enterprise Accounting and Management System Functional
Management Office Comments
The Principal Deputy Assistant Secretary of the Air Force (Financial Management and
Comptroller) responded on behalf of the Functional Manager, DEAMS FMO. She agreed and
stated DEAMS FMO had implemented additional manual internal controls to identify
inconsistencies in the COA data. She also stated SAF/FM directed all changes to the DEAMS
COA be documented and approved prior to configuration changes. She added DEAMS FMO
started reviewing audit logs and providing them to SAF/FMP for oversight on a recurring basis.
Further, she stated the Governance Risk and Compliance tools will subsume the manual controls
with systemic controls and will require systemically routed approvals for all changes to the
DEAMS COA. The Governance Risk and Compliance tools will be implemented by
February 2013.

      b. Determine whether the inconsistencies in the account data affected any other
Defense Enterprise Accounting and Management System functional areas.

Defense Enterprise Accounting and Management System Functional
Management Office Comments
The Principal Deputy Assistant Secretary of the Air Force (Financial Management and
Comptroller) responded on behalf of the Functional Manager, DEAMS FMO. She agreed and
stated, based on a DEAMS FMO assessment of the DEAMS COA, none of the unauthorized
changes made to the COA impacted the financial records or account balances.

      c.
Document policies and procedures for modifying the Defense Enterprise
Accounting and Management System chart of accounts.

Defense Enterprise Accounting and Management System Functional
Management Office Comments
The Principal Deputy Assistant Secretary of the Air Force (Financial Management and
Comptroller) responded on behalf of the Functional Manager, DEAMS FMO. She agreed and
stated DEAMS FMO and PMO updated the configuration and maintenance of DEAMS in the
DEAMS Sustainment Plan. She also stated the DEAMS FMO and DFAS will publish an
internal standard operating procedure to address continuity and consistency of operations,
including policies and procedures for modifying the DEAMS COA. The estimated completion
date is September 2012.

Our Response
Comments from the Principal Deputy Assistant Secretary of the Air Force (Financial
Management and Comptroller) on Recommendations 2.a, 2.b, and 2.c were responsive, and no
additional comments are required.

Appendix A. Scope and Methodology
We conducted this performance audit from January 2011 through July 2012 in accordance with
generally accepted government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit objectives.

We reviewed COA information, criteria related to SFIS, and DEAMS transaction data.
Specifically, for the COA, we examined the FY 2011 Reporting USSGL COA; FY 2011 DoD
Standard COA updated in August 2010 and April 2011; and DEAMS COAs updated in
March 2011, May 2011, June 2011, and August 2011. During our SFIS review, we examined
the SFIS Business Rules (Version 7.0 and 8.0).
We also examined the posted DEAMS
transaction data from the first quarter of FY 2011.

We conducted site visits to the DEAMS FMO; DEAMS PMO; and DFAS offices in Limestone,
Maine, and Columbus, Ohio. In the National Capital Region, we visited the OUSD(C), Office of
the Deputy Chief Management Officer, and SAF/FM.

To determine whether DEAMS provided DoD management with accurate and reliable financial
management information, we compared the DEAMS COA to the USSGL COA and the DoD
Standard COA to identify any differences between the account titles and normal balance
indicators for accounts in the DEAMS COA, and the corresponding accounts in the USSGL
COA and DoD Standard COA. Additionally, we obtained the USAF and USTRANSCOM trial
balances from DDRS for September 2010 and March 2011. We reviewed the USAF’s and
USTRANSCOM’s trial balances for accounts not included in the DEAMS COA. Once we
identified the accounts in the USAF’s and USTRANSCOM’s trial balances that were not in the
DEAMS COA, we reviewed the FY 2011 DoD Standard COA to identify if those specific
accounts were reported in the DoD Standard COA.

While comparing the May 2011, June 2011, and August 2011 DEAMS COA to each other, we
identified inconsistencies with the account data. Based on the inconsistencies identified, we
performed additional comparisons between the three versions of the DEAMS COA. We met
with DEAMS FMO personnel to discuss the potential inconsistencies with the accounts’ dates.
We observed the accounts within DEAMS and discussed them with FMO personnel. Based on
the inconsistencies, we could not rely on the data from DEAMS to report on the results of our
testing.
Specifically, we were unable to rely on the testing related to:

   • comparing the DEAMS COA to the USSGL and DoD Standard COA, and
   • identifying accounts in the USAF and USTRANSCOM trial balances not in the DEAMS
     COA.

In our review of SFIS, we conducted meetings with FMO and Business Transformation Agency
personnel to determine whether DEAMS included all applicable SFIS business rules and whether
DEAMS complied with these business rules. We conducted meetings with FMO personnel and
obtained screenshots to determine whether DEAMS implemented mandatory SFIS data elements
required by the SFIS Transaction Library for items in the posted DEAMS transaction data from
the first quarter of FY 2011. We also compared the SFIS Oracle Standard Configuration Guide
to the SFIS business rules and identified any differences or contradictions. Finally, we reviewed
the SFIS business rules to identify if any of the rules were vague, made general statements rather
than recommending specific approaches, or required the use of criteria that had not been
established. Based on the inconsistencies found during the COA review, we were unable to rely
on the testing to determine whether DEAMS implemented all mandatory SFIS data elements.

Use of Computer-Processed Data
We used DEAMS COA and transaction posted data from the first quarter of FY 2011. While
reviewing the DEAMS COA to determine whether it complied with DoD requirements, we
identified inconsistencies in account data. As a result, the computer-processed data were not
sufficiently reliable to support the findings and conclusions for testing USSGL and SFIS
compliance.
We discuss the data reliability issues in the finding.

Prior Coverage
During the last 5 years, the Government Accountability Office (GAO), the Department of
Defense Inspector General (DoD IG) and the Air Force Audit Agency (AFAA) issued six reports
related to DoD Business Transformation and DEAMS. Unrestricted GAO reports can be
accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed
at http://www.dodig.mil/audit/reports. AFAA reports can be accessed from .mil domains over
the Internet at https://afkm.wpafb.af.mil/community/views/home.aspx?Filter=OO-AD-01-41 by
those with Common Access Cards.

GAO
GAO Report No. GAO-11-53, “DoD Business Transformation: Improved Management
Oversight of Business System Modernization Efforts Needed,” October 2010

GAO Report No. GAO-08-866, “DoD Business Transformation: Air Force's Current Approach
Increases Risk That Asset Visibility Goals and Transformation Priorities Will Not Be Achieved,”
August 2008

GAO Report No. GAO-08-462T, “Defense Business Transformation: Sustaining Progress
Requires Continuity of Leadership and an Integrated Approach,” February 2008

DoD IG
DoD IG Report No. D-2011-015, “Insufficient Governance Over Logistics Modernization
Program System Development,” November 2010

Air Force
AFAA Report No. F2010-0010-FB2000, “Defense Enterprise Accounting and Management
System Accounting Conformance,” August 2010

AFAA Report No. F2009-0004-FB2000, “Defense Enterprise Accounting and Management
System Controls,” February 2009

Appendix B.
DEAMS Deployment Schedule

DEAMS Release Title       Deployment Site                          Projected Release Date

Scott Air Force Base      Scott Air Force Base                     3rd Quarter, FY 2012
Tech Demonstration

Increment 1, Release 1    Scott Air Force Base and Air Mobility    3rd Quarter, FY 2013
                          Command Sites without Transportation
                          Working Capital Fund

Increment 1, Release 2    Air Mobility Command Sites with          1st Quarter, FY 2014
                          Transportation Working Capital Fund
                          and MacDill

Increment 1, Release 3    Major Upgrade to Oracle R12              2nd Quarter, FY 2014

Increment 1, Release 4    USTRANSCOM and Surface                   4th Quarter, FY 2014
                          Deployment and Distribution
                          Command

Increment 1, Release 5    Air Force Sites in the Continental       2nd Quarter, FY 2016
                          United States

Increment 1, Release 6    Pacific Air Forces and U.S. Air Forces   4th Quarter, FY 2016
                          in Europe

Increment 2, Release 1    Air Force Materiel Command and Air       1st Quarter, FY 2017
                          Force Space Command

Increment 2, Release 2    Foreign Military Sales and               3rd Quarter, FY 2017
                          Contingency Operations

Source: DEAMS Business Case, January 5, 2012.

Appendix C. Quick Reaction Memorandum

Appendix D. U.S. Air Force Memorandum
Comments

Appendix E. Defense Finance and Accounting
Service Memorandum Comments

Glossary
Enterprise Resource Planning System – an automated system using commercial off-the-shelf
software consisting of multiple integrated functional modules that perform a variety of business
related tasks such as general ledger accounting, payroll, and supply chain management.

Increments – useful and supportable operational capabilities that can be developed, produced,
deployed, and sustained.

Mixed System – information system that supports both financial and non-financial functions of
the Federal Government or components.

Operational Test and Evaluation – used to determine the effectiveness and suitability of a
system under realistic operational conditions, including joint combat operations; used to
determine if thresholds in the approved Capability Production Document and critical operational
issues have been satisfied; assess impacts to combat operations; and provide additional
information on the system’s operational
capabilities.

Patches – additional pieces of code developed to address specific problems or flaws in existing
software.

Risk – level of impact on entity operations (including mission, functions, image, or reputation),
entity assets, or individuals resulting from the operation of an information system given the
potential impact of a threat and the likelihood of that threat occurring.

Statement of Budgetary Resources – provides, along with related disclosures, information
about how budgetary resources were made available and their status at the end of the period. It
is the only financial statement predominantly derived from an entity’s budgetary general ledger
in accordance with budgetary accounting rules, which are incorporated into Generally Accepted
Accounting Principles for the Federal Government.

Target Accounting System – a Federal Financial Management Improvement Act compliant
system that is configured to post transactions to an internal USSGL compliant general ledger.

Vulnerabilities – flaws that can be exploited, enabling unauthorized access to Information
Technology systems or enabling users to have access to greater privileges than authorized.

U.S. Air Force Comments
'